pkispawn takes a config file which can be used to override any parameter
in default.cfg. Any parameter in this file will be used instead of the
value in default.cfg. Any value not specified will take the default in
default.cfg.
The option is "pkispawn -f myconfig.cfg"
See man pkispawn and man pki_default.cfg for details and examples.
An example file would look something like:
[DEFAULT]
pki_admin_password=password123
pki_client_pkcs12_password=password123
pki_ds_password=password123
[CA]
pki_ca_signing_subject_dn=cn=<foo signing cert>,o=%(pki_security_domain_name)s
On Sat, 2014-08-16 at 14:22 -0700, Marc Sauton wrote:
On 08/16/2014 12:28 PM, Ricardo Alexander Alexander Perez Ricardez wrote:
> Hi, I created a CA interactively, with default values:
>
> pkispawn uses this file: etc/pki/default.cfg
>
> This file contains the value: pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s
>
> Therefore, the CA is created with the default value: "CA Signing Certificate"
>
> I would like to change this to a more meaningful name. Is it possible to update or change the name “CA Signing Certificate” to a new value?
>
> pkispawn has the argument -u "update instance of specified subsystem". Is it possible to update the value using this option?
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
It is in fact highly recommended to customize all the subject names, and
HTML pages if used.
cp -p /usr/share/pki/ca/conf/CS.cfg /usr/share/pki/ca/conf/CS.cfg.orig
vim /usr/share/pki/ca/conf/CS.cfg
...
preop.cert.signing.userfriendlyname=testms CA Signing Certificate
preop.cert.audit_signing.userfriendlyname=testms CA Audit Signing Certificate
preop.cert.ocsp_signing.userfriendlyname=testms OCSP Signing Certificate
preop.cert.sslserver.userfriendlyname=testms SSL Server Certificate
preop.cert.subsystem.userfriendlyname=testms Subsystem Certificate
...
The -u option of pkispawn was removed.
There is now a tool called pki-upgrade to update those config files or
templates when there is a package update or a manual change, so the
existing instances can get the newer config files.
But in this case, the certificates need to be re-issued, so it is more a
change before creating a CA instance.
Thanks,
M.
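
The override behaviour described at the top of this thread ("pkispawn -f myconfig.cfg"), as an added example that is not part of the original messages or of the PKI project's code: a pre-flight check that merges an override file over the defaults and warns when the CA signing subject DN is still the default, since changing it later means re-issuing certificates. It assumes the merge can be modelled with Python's configparser (same `%(name)s` syntax as the example file); both config texts and the `preflight` helper are constructed for illustration.

```python
import configparser

# Constructed stand-in for default.cfg (only keys mentioned in this thread).
DEFAULT_CFG = """
[DEFAULT]
pki_security_domain_name=example.test Security Domain

[CA]
pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s
"""

# Constructed override file, as would be passed with "pkispawn -f myconfig.cfg".
MY_CFG = """
[DEFAULT]
pki_security_domain_name=testms Security Domain

[CA]
pki_ca_signing_subject_dn=cn=testms CA Signing Certificate,o=%(pki_security_domain_name)s
"""

KEY = "pki_ca_signing_subject_dn"


def load(default_text, override_text=""):
    """Parse the defaults, then the override; later values win key by key."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(default_text)
    cp.read_string(override_text)
    return cp


def preflight(default_text, override_text, section="CA"):
    """Return (effective subject DN, warnings) for the CA signing certificate."""
    base = load(default_text)
    merged = load(default_text, override_text)
    warnings = []
    # Compare the raw templates: an override that only changes the security
    # domain name alters the interpolated DN but leaves the default CN in place.
    if merged.get(section, KEY, raw=True) == base.get(section, KEY, raw=True):
        warnings.append(KEY + " is still the default; set it before creating the CA")
    return merged.get(section, KEY), warnings


if __name__ == "__main__":
    print(preflight(DEFAULT_CFG, MY_CFG))
```
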